Configuring the PE Console to Use a Custom Diffie-Hellman File


The “Logjam Attack” (CVE-2015-4000) exposed several weaknesses in Diffie-Hellman (DH) key exchange, a commonly used method for negotiating the shared keys that secure Internet connections. Diffie-Hellman key exchange is used by many Internet protocols, including HTTPS, SSH, IPsec, and SMTPS. For reference, see https://weakdh.org.

To help mitigate the “Logjam Attack,” PE ships with a pre-generated 2048-bit Diffie-Hellman param file.

If you don’t want to use the PE default DH param file, the following procedure shows how to generate your own.

To generate a custom DH param file:

Note: In the following procedure, <PROXY-CUSTOM-dhparam>.pem can be replaced with any file name, except dhparam_puppetproxy.pem, as this is the default file name used by PE.

On your PE console server (for a mono install, this is the same node as the Puppet master), run the following command: